API KEY SECURITY FOR AI AGENTS
RubberAPI proxies your OpenRouter calls so your AI agents never touch your API key. Spend limits. IP locking. Instant revocation. Two env vars to set up.
Be honest. This is sitting on a VPS somewhere right now.
# .env on your OpenClaw VPS OPENROUTER_API_KEY=sk-or-v1-real-key-with-unlimited-access # no spend limit # no expiry # no audit trail # no way to revoke without rotating for everything # one prompt injection away from a $10,000 bill
From your local machine, create a scoped proxy key with the constraints you want.
$ rubberapi push "sk-or-v1-your-real-key" \ --daily-limit 5.00 \ --models "claude-sonnet,claude-haiku" \ --inactive-expiry 7d โ Proxy key created Key: rk_live_a8f3k2x9... Endpoint: https://rubberapi.fly.dev/v1 Budget: $5.00/day Models: claude-sonnet, claude-haiku
Drop-in replacement. Zero code changes. Works with OpenClaw, LangChain, CrewAI, or anything OpenAI-compatible.
# Before (raw key on VPS โ terrifying) OPENROUTER_API_KEY=sk-or-v1-your-real-key OPENROUTER_BASE_URL=https://openrouter.ai/api/v1 # After (proxy key โ your real key never touches the VPS) OPENROUTER_API_KEY=rk_live_a8f3k2x9 OPENROUTER_BASE_URL=https://rubberapi.fly.dev/v1
Your agent runs normally. RubberAPI handles auth, enforces limits, and logs everything. Your real key never leaves the proxy.
$ rubberapi status rk_live_a8f3k2x9 Status: Active IP locked: 142.93.xx.xx (auto-pinned on first use) Spent: $2.34 / $5.00 today Requests: 47 today Top model: claude-sonnet (94%) Last used: 3 minutes ago # Something wrong? One command. $ rubberapi kill rk_live_a8f3k2x9 โ Key revoked. All requests will be denied immediately.
None of them require your agents to change a single line of code.
Proxy key auto-binds to the first IP that uses it. Stolen key from a different machine? Useless. Reset anytime with rubberapi repin.
Cap how much any proxy key can spend per day. Resets midnight UTC. Hit the limit? Requests are denied until tomorrow. No surprise bills.
Restrict which models agents can call. Let your summarizer use Haiku but block it from burning money on Opus. Per-key model control.
Forgot about a proxy key? It auto-revokes after N days of no use. No more zombie keys on abandoned VPS instances.
One command from your phone, laptop, anywhere. rubberapi kill โ key is dead, all requests denied immediately. No key rotation needed.
Every request logged: which proxy key, which model, input/output tokens, cost, source IP, timestamp. Know exactly what happened.
| Raw Key on VPS | With RubberAPI | |
|---|---|---|
| API key on machine | Your real key | Disposable proxy key |
| VPS compromised | Unlimited access forever | Capped, IP-locked, killable |
| Spend control | None | Daily + lifetime caps |
| Revoke one agent | Rotate key everywhere | Kill one key, others unaffected |
| Audit trail | None | Every request logged |
| Code changes needed | โ | Two env vars |
Because they will. The question is how bad it gets.
Without RubberAPI
Attacker has your real API key. Unlimited spend. No expiry. You don't know until the bill arrives.
With RubberAPI
Attacker has a proxy key that's IP-locked to the VPS, capped at $5/day, and you kill it the moment you notice.
Without RubberAPI
Agent burns through your entire balance calling Opus in a tight loop. You wake up to a $2,000 bill.
With RubberAPI
Agent hits the $5 daily limit after a few minutes. Requests denied. You get a webhook alert. Damage: $5.
Without RubberAPI
That test VPS you forgot about 3 months ago still has your key. Anyone who finds it has permanent access.
With RubberAPI
Proxy key auto-expired after 7 days of inactivity. The key is dead. Nothing to exploit.
Without RubberAPI
Malicious input tricks your agent into exfiltrating the API key via a crafted response or tool call.
With RubberAPI
Agent only has the proxy key. Even if exfiltrated, it's IP-locked, spend-capped, and killable in one command.
Start free. Scale when you need to.
Free
1 proxy key
Pro
10 proxy keys
Enterprise
Unlimited keys
Set up in 60 seconds. Your agents won't notice the difference โ but your wallet will.